1. Hot Wash

1. 1. 1. The Crisis Manager gathers everyone who was involved in the incident
      2. Go through the incident, phase by phase, and focus on the facts. Cover only the main points. Who, What, Where, Why happened?
      3. Clear up any misunderstandings as you go; this is not a lecture rather a discussion of the events and response
      4. Set a time for group debriefs (if applicable) and focus on learning from what happened (circuit learning).
         • 1-3 points that the group would like to “sustain.” These are areas that your organization did well, and that should stay in the plan
         • 1-3 points that the group would like to “improve.” These are areas that require refinement and will drive changes in your response and focus on future training.
      5. This discussion is not a critique of any kind but a review of how the plan worked.

2. Group Debriefs

1. 1. 1. Separate the different teams into groups focusing on their specific contribution to the response.  
      2. Discuss a more in-depth review of their actions, small details that define their response.
      3. Document Lessons Observed; more on this below.

3. Circuit Learning

1. 1. 1. Single Circuit Learning:
         Cases that individuals can (or did) address there and then remedy the situation. These can be simple cases for intrinsic/simple safety and security. Actions that were performed immediately and during the incident to make it more productive for you and your team.
         
         Example: You put your computer on the charger (to make sure you were available and online during the incident).
         
         
      2. Double Circuit Learning:
         Challenges individuals cannot solve independently; several people must contribute to solving the problem. The challenge may be that procedures or materials do not work satisfactorily and can pose a risk to handling the incident.
         
         Example: Your Internet Service Provider (ISP) isn’t the best, and it’s hard to follow the meetings with the crisis management team (so you need to order from another ISP to make sure you can participate effectively the next time)
         
         
      3. Triple Circuit Learning:
         Challenges that could change your operations pattern and require an entirely new way of approaching the problem. It is sometimes a comprehensive process that is usually solved internally at the department and requires potential clients, tech, and other professionals.
         
         Example: You don’t have the necessary or appropriate tools to deal with the incident digitally, and you need to scan the market for potential critical event management software, buy it, implement it and start exercising with it (to be more efficient and make sure you are well prepared for the next time).

4. Emergent Learning 

Emergent learning or “experience management”  is a comprehensive system for reporting and processing "lessons observed." Implementing change measures to achieve a measurable effect and continuous improvement. This process is based on previous experience data where hypotheses were tested in a group or entire organization.  The group must identify the recurring problem, develop a theory on how to solve that problem, gather data as the hypothesis is tested, and draw conclusions based on the outcome.  This process is how scientists develop new advances in their field, and doctors evaluate the best practice for medical treatments. Creating a strategy can be difficult in a large organization because of the myriad factors contributing to the outcome.  However, with adequate data, emergent learning can improve processes and outcomes in almost any field.  One efficient way of processing data and creating hypotheses is to move from lessons observed to lessons learned.  If lessons observed are never acted upon, they will remain in that category.  By examining observations and moving that lesson into the learned category, our organization is more robust and will improve processes. 

• • • • Lessons Observed (LO)

        • Observations or experiences that reveal a risk or a potential for improvement within a specific area or activity.  Observations that are not further processed remain a LO.

Example: If we’ve installed an alarm, the alarm will notify us in the event of a burglary. Meaning we reduce the potential of burglary, and if it happens - we could reduce the damage.

• • • • Lessons Identified (LID)
        An elaborated observation or experience where:

1. 1. 1. 1. 1. The fundamental causal relationship is known.
            2. Temporary measures have been implemented.
            3. Recommended measures are disseminated through the chain of command
            4. The right decision-making authority has implemented corrective actions.
               

Example: There is a hole in the fence because someone made a hole in the fence. You fix the hole in the fence with what you have at hand. You inform your manager that there was a hole in the fence that you closed temporarily. Your manager instructs the technical manager to send a team out to fix all the fences.

• • • • Lessons Learned (LL)

1. 1. 1. 1. 1. Measurable improvement and strengthened capability are the results of the implemented measures derived through LID.
            2. Change of operating concepts/programs.
            3. Material.
            4. Competence / education / training.

Example: You install CCTV and have guards patrolling the fenced area, or you start using infrared sensors instead of the fence. You find out that the fence materials aren’t of the highest quality, and you order a new kind of fence. You run a workshop to train your personnel on how to inspect fences and how to fix them. You explore the fence’s weaknesses and send people to the factory to learn more about how to put up and maintain a good fence properly.

5. Observe, Orient, Decide, Act “OODA” Loop

First developed by an American fighter pilot from the Korean War, the OODA Loop consists of a constant re-evaluation of available information that an individual observes, eventually leading to action. This strategy is also applicable to those of us out of the cockpit.  

Observation should be continuous in any critical incident.  One must constantly be observing the environment around themselves to be able to respond to changing conditions.  Through observation, one might find by reading a Material Safety Data Sheet (MSDS) that a routine spill cleanup may be a toxic substance, and an outside agency will need to handle the situation appropriately.

Orientation refers to the way that the responder intends to act based on their observations.  When these observations are processed in the brain and into context based on a few facto, two of these factors are new information and the most relevant to this article,  previous experience. Information is constantly being fed to our brain during the situation and filtered through our previous experiences.  

The information gleaned from our Post-Incident Management process has given us the framework to sustain and improve our plan.  Those points now become part of our previous experience filter and guide us through the loop.  If I know that I waited too long to disconnect the servers during a cyber-attack drill in the past, I will be faster at doing that during my next experience with that scenario.  

The next item in the OODA Loop is to decide.  I have taken my observations and ran them through my previous experience filter in my brain during the loop’s orientation phase. I will decide on the action that I will take to deal with the situation.  I will let those responders around me and those in management roles know my intentions, and lastly, I will act on that decision.  

They are described as a loop because they constantly observe their surroundings, orienting, deciding, and acting.  Most of us have been part of a decision-making process that we know isn’t right for the scenario and stuck with the plan despite our gut feeling of needing to change the plan.  If we learn from that potentially disastrous experience and implement the OODA Loop, our organization will grow and improve with each training or how we respond to an actual incident.